W32/Suclove@MM
- Type: Virus
- SubType:
- Discovery Date: 09/26/2005
- Length: 126,976 bytes
- Minimum DAT: 4590 (09/26/2005)
- Updated DAT: 4590 (09/26/2005)
- Minimum Engine: 5.1.00
- Description Added: 09/26/2005
- Description Modified: 09/27/2005 10:04 AM (PT)
Characteristics
This is a mass-mailing worm that uses Microsoft Outlook to send itself to all users found in the Outlook address book.
It can also spread via IRC.
It opens a TCP port on the infected machine to allow remote execution of arbitrary programs.
It modifies system policies.
Symptoms
When the virus is executed it copies itself several times using the following filenames:
- C:\WINLOGON.EXE
- C:\%Windir%\LoveLetter.doc.exe
- C:\%Sysdir%\dllhost.dll
- C:\%Sysdir%\LOADER32.COM
It disables the use of the Registry Editor by modifying the following registry key:
- HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System "DisableRegistryTools" = 1
It hides file extensions by modifying the following registry key:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Explorer\HideFileExt "CheckedValue" = 1
The following registry key is modified so that the user is unable to modify any folder options:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer "NoFolderOptions" = 1
DLL files become executable by modifying the following registry key (the key's default value):
- HKEY_CLASSES_ROOT\dllfile\shell\open\command "Default" = "%1" %*
The following registry keys are also created so that the virus runs at startup:
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\policies\Explorer\Run "Default" = C:\WINLOGON.EXE
- HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run "DLL32" = dllhost.dll
A VBS file is created in the following folder:
- C:\progra~1\micros~1\outlook.vbs
This VBS file contains code that constructs and sends the email message to all in the Outlook Address Book.
It opens TCP port 1111 to allow attackers to execute arbitrary code remotely.
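As an added defender-side example (not part of the original McAfee description), the following Python checks an exported .reg file for the registry values listed above; the export text is constructed here for illustration and the helper names are my own:

```python
import re
# Registry indicators from the W32/Suclove@MM description above as (key, value name, data); "@" is the
# key's default value. Strings match case-insensitively on their suffix, so a full-path variant still hits.
HKLM_CV = r"HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion"
SUCLOVE_REG_INDICATORS = [
    (r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System", "DisableRegistryTools", 1),
    (HKLM_CV + r"\Explorer\HideFileExt", "CheckedValue", 1),
    (HKLM_CV + r"\policies\Explorer", "NoFolderOptions", 1),
    (r"HKEY_CLASSES_ROOT\dllfile\shell\open\command", "@", '"%1" %*'),
    (HKLM_CV + r"\policies\Explorer\Run", "@", r"C:\WINLOGON.EXE"),
    (HKLM_CV + r"\Run", "DLL32", "dllhost.dll"),
]
_VALUE_LINE = re.compile(r'^(@|"((?:[^"\\]|\\.)*)")=(.*)$')  # matches "name"=data or @=data
def _unescape(s):  # .reg exports escape backslashes and quotes in names and REG_SZ data with a backslash
    return re.sub(r"\\(.)", r"\1", s)
def parse_reg_export(text):
    """Regedit 5.00 export -> {key_lower: {name_lower: data}}; dword -> int, REG_SZ unescaped."""
    reg, current = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("[") and line.endswith("]"):
            current = reg.setdefault(line[1:-1].rstrip("\\").lower(), {})
            continue
        m = _VALUE_LINE.match(line)
        if current is None or not m:  # header, comment, blank or unsupported line
            continue
        name = "@" if m.group(1) == "@" else _unescape(m.group(2))
        data = m.group(3)
        if data.lower().startswith("dword:"):
            current[name.lower()] = int(data[6:], 16)
        else:  # quoted REG_SZ is unescaped; hex: and other types are kept raw
            current[name.lower()] = _unescape(data[1:-1]) if data.startswith('"') else data
    return reg
def find_suclove_indicators(reg_text):  # returns (key, name, data) for each indicator present
    reg, hits = parse_reg_export(reg_text), []
    for key, name, expected in SUCLOVE_REG_INDICATORS:
        actual = reg.get(key.lower(), {}).get(name.lower())
        if actual is not None and (actual == expected if isinstance(expected, int)
                                   else str(actual).lower().endswith(expected.lower())):
            hits.append((key, name, actual))
    return hits
# Constructed sample export (not a real capture): three indicators plus a benign Run entry.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00
[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Policies\System]
"DisableRegistryTools"=dword:00000001
[HKEY_CLASSES_ROOT\dllfile\shell\open\command]
@="\"%1\" %*"
[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"ctfmon.exe"="C:\\WINDOWS\\system32\\ctfmon.exe"
"DLL32"="dllhost.dll"
'''
```

Run `find_suclove_indicators` over `reg export HKLM\... file.reg` output from a suspect host; each hit is a registry change the description attributes to the worm, and the benign ctfmon.exe entry in the sample shows that ordinary Run values are not reported.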
Method of Infection
Mail Propagation
This is a mass-mailing worm that uses Microsoft Outlook to send itself to all users found in the Outlook address book.
The worm arrives in an email message with the following information:
Subject:
- Read my letter for you
The message body reads:
- "this was created from the deep inside my heart"
Attachment:
- LoveLetter.doc.exe
Internet Relay Chat
It attempts to create a script.ini file which contains code for it to spread via IRC.
It searches for the following folders on the infected system to create the SCRIPT.INI:
- C:\MIRC
- C:\MIRC32
- C:\Progra~1\MIRC
- C:\Progra~1\MIRC32
Removal
All Users:
Use current engine and DAT files for detection and removal.
Modifications made to the system Registry and/or INI files for the purpose of hooking system startup will be successfully removed when cleaning with the recommended engine and DAT combination (or higher).
Variants
N/A
All Information
Overview
This is a virus detection. Viruses are programs that self-replicate recursively, meaning that infected systems spread the virus to other systems, which then propagate the virus further. While many viruses contain a destructive payload, it's quite common for viruses to do nothing more than spread from one system to another.